Hi,

On Mon, Mar 30, 2026 at 05:15:42PM +0200, Stefano Brivio wrote:
> On Mon, 30 Mar 2026 13:05:57 +0200 Johannes Segitz wrote:
> > Currently podman can pass a FD to a DRI device to pasta, leading to AVCs like this:
> >
> >   avc: denied { read write } comm="pasta" path="/dev/dri/renderD128" scontext=unconfined_u:unconfined_r:pasta_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file
> >
> > These are harmless, so dontaudit them.
> >
> > Signed-off-by: Johannes Segitz
>
> Thanks for the patch.
>
> I'm wondering how this can still happen, though, as commit 09603cab28f9 ("passt, util: Close any open file that the parent might have leaked") should take care of those. Do you happen to know?

No, I just read the code and it seems like this should prevent this. I unfortunately can't debug this in depth, because it doesn't happen on my system. The reporter is helpful with debugging, but going into gdb sessions with remote hands doesn't sound feasible ;)

> Perhaps the access happens before we call isolate_initial()... but then I guess we should try to close leaked files before that point, to be on the safe side?

Would be worth a try. If you have a patch for that I can provide an updated package to the reporter and ask him to test it.

Johannes

--
GPG Key EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Software Solutions Germany GmbH, Frankenstr. 146, 90461 Nürnberg, Germany
Geschäftsführer: Jochen Jaser, Andrew McDonald, Werner Knoblich, (HRB 36809, AG Nürnberg)
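The thread's mitigation idea is to close descriptors the parent leaked (such as the /dev/dri/renderD128 fd podman hands over) as early as possible, before any code path could touch them. The following is an added example illustrating that technique; it is not passt/pasta's own code and does not reproduce commit 09603cab28f9. The function names close_leaked_fds and fd_is_open, the allow-list interface and the fallback limit are assumptions made for this illustration. It walks /proc/self/fd so only descriptors that really exist are closed, collects them before closing to avoid confusing readdir, and falls back to a bounded brute-force sweep if /proc is unavailable.

```c
/* Added example (not passt/pasta code): close file descriptors a parent
 * process may have leaked into us, keeping stdio and an explicit allow-list.
 * Names and interface are assumptions for this illustration. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Return non-zero if fd is in the keep list. */
static int fd_is_kept(int fd, const int *keep, size_t nkeep)
{
	for (size_t i = 0; i < nkeep; i++)
		if (keep[i] == fd)
			return 1;
	return 0;
}

/* Check whether fd is open: F_GETFD fails with EBADF on a closed descriptor. */
int fd_is_open(int fd)
{
	return fcntl(fd, F_GETFD) != -1;
}

/* Close every descriptor >= lowfd that is not in keep[].
 * Returns the number of descriptors closed. */
int close_leaked_fds(int lowfd, const int *keep, size_t nkeep)
{
	int to_close[1024];	/* collected first, closed afterwards */
	size_t n = 0;
	int closed = 0;
	DIR *dir = opendir("/proc/self/fd");

	if (dir) {
		int self = dirfd(dir);	/* the directory stream's own fd */
		struct dirent *ent;

		while ((ent = readdir(dir)) != NULL) {
			char *end;
			long fd;

			if (ent->d_name[0] == '.')
				continue;
			fd = strtol(ent->d_name, &end, 10);
			if (*end != '\0' || fd < lowfd || fd == self)
				continue;
			if (fd_is_kept((int)fd, keep, nkeep))
				continue;
			if (n < sizeof(to_close) / sizeof(to_close[0]))
				to_close[n++] = (int)fd;
		}
		closedir(dir);
	} else {
		/* No /proc: sweep a bounded range instead (assumed cap). */
		long limit = sysconf(_SC_OPEN_MAX);

		if (limit < 0 || limit > 65536)
			limit = 65536;
		for (long fd = lowfd; fd < limit; fd++)
			if (fd_is_open((int)fd) && !fd_is_kept((int)fd, keep, nkeep)
			    && n < sizeof(to_close) / sizeof(to_close[0]))
				to_close[n++] = (int)fd;
	}

	for (size_t i = 0; i < n; i++)
		if (close(to_close[i]) == 0)
			closed++;
	return closed;
}

/* Stand-alone demo: one "leaked" fd and one we want to keep. */
int main(void)
{
	int leaked = open("/dev/null", O_RDWR);	/* stands in for the DRI fd */
	int wanted = open("/dev/null", O_RDONLY);
	int keep[] = { wanted };
	int n = close_leaked_fds(3, keep, 1);

	printf("closed %d; leaked open: %d; wanted open: %d\n",
	       n, fd_is_open(leaked), fd_is_open(wanted));
	close(wanted);
	return 0;
}
```

Calling this with lowfd set to 3 right at the start of main(), before any isolation or device access, is the shape of the change the thread suggests; descriptors the program genuinely needs (sockets passed by the parent, the log fd) go into the allow-list.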